Back to the list

Some white hat hacker behavior is ‘weird,’ Ledger CTO says

source-logo  blockworks.co 22 June 2024 00:00, UTC

The back and forth between CertiK and Kraken this week left more questions than answers.

So to get some potential answers — and to pick his brain — Blockworks chatted with Ledger Chief Technology Officer Charles Guillemet.

Outside of the use of Tornado Cash by the US-based CertiK, he also highlighted the withdrawal of XMR — a privacy coin on Monero, in case you’ve skipped some of Empire’s previous segments — as suspicious because, well, it’s a privacy coin.

Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper KYC checks before facilitating swaps from one token to another.

It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty).

Read more: Empire Newsletter: DJT and Kraken bring the drama

However, the five-day time period in which the researchers were testing the exploit isn’t that strange.

“So the five day period is not suspicious, per se. But what is suspicious is what they did during the meantime,” he told Blockworks.

The silver lining in this is the speed in which Kraken assessed the issue (47 minutes, according to Kraken’s Chief Security Officer Nick Percoco) and investigated the issue.

“Kraken had everything in place in order to verify what happened on their platform and to find out that the vulnerability was actually exploited several times, by three accounts and not only by one,” he added.

Guillemet was in the security world before swapping over to crypto in 2017.

With that experience, he said that the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”

Read more from our opinion section: We need to talk about the dangers of custody on exchanges

“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet continued.“But I completely disagree with this. When you do security research, you don’t choose your reward.”

“In crypto, it’s not always the case, and it’s a bit disturbing for me, and it’s also disturbing for other security guys in the field.”

CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, unlike claims made by Percoco. On Thursday, Kraken confirmed it received the funds back sans a bit lost to fees.

The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said.

“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”

A shorter version of this article appeared in Friday’s Empire Newsletter. Sign up here to never miss an issue.